PRIVACY POLICY

Phished BV is committed to protecting your personal data and in compliance with the applicable legislation.

1. The controller

Phished BV (hereinafter Phished, “we”, “us” or “our”) with registered office at Bondgenotenlaan 138, 3000 Leuven, Belgium and registered number 0735.908.019, is the controller for the processing of your personal data.

2. The personal data we process

Depending on your role, we collect the following data:

  • Customers: general identification data (such as name, title/function, address, mobile phone or telephone number, email, assigned identification data), financial identification data (such as identification and bank account numbers), financial transactions (such as amounts paid or to be paid), compensations, professional activities (including the company, the nature of the activity, the nature of the goods/services used, business relations), contracts and agreements with Phished, any other personal data that they lawfully provided Phished. The source of this personal data is you or your employer.
  • Partners: general identification data (such as name, title/function, address, mobile phone or telephone number, email, assigned identification data), financial identification data (such as identification and bank account numbers), financial transactions (such as amounts paid or to be paid), compensations, professional activities (including the nature of the activity, the nature of the goods/services used, business relations), contracts and agreements with Phished, any other personal data that they lawfully provided Phished. The source of this personal data is you or your employer.
  • Prospects: general identification data (such as name, title/function, address, mobile phone or telephone number, email), professional activities (including the nature of the activity, the nature of the goods/services used, business relations), any other personal data that they lawfully provided Phished. The source of this personal data is you or your employer.
  • Suppliers: general identification data (such as name, title/function, address, mobile phone or telephone number, email, assigned identification data), financial identification data (such as identification and bank account numbers), financial transactions (such as amounts paid or to be paid), compensations, professional activities (including the nature of the activity, the nature of the goods/services supplied), contracts and agreements with Phished, any other personal data that they lawfully provided Phished. The source of this personal data is you or your employer.
  • Applicants: all personal data which they communicated and lawfully provided Phished (such as a resume and/or cover letter);
  • Website visitors: personal data collected through cookies (see our cookie policy);
  • Social media users: advertising through the personal data they provided to social media channels.

In the exercise of its activities, Phished is also a processor of personal data (for example when sending a phishing simulations to audience specified by the customer). The processing of personal data by Phished, as a processor, is part of the agreements between Phished and the controller(s) and does not constitute a part of this privacy policy.

If you provide us with personal data of a third party, such as your staff, freelancers, customers, suppliers, partners, then you warrant Phished that you have (a) lawfully obtained such personal data from the third party and lawfully provided it to Phished, (b) provided Phished with personal data that is accurate and up to date, (c) provided said person with relevant information about the existence and content of this policy.

3. Purposes

We process the personal data for the following purposes:

  • 3.1. Execution of the agreement: the creation of a personal account and/or profile, the correct execution and observance of the agreements (including communications), invoicing, customer service and support: so that we can help you in case of questions and/or problems.
  • 3.2. Purchases via website: the correct execution and observance of the agreements regarding purchases via the website (including communications), processing orders and any after-sales services, invoicing.
  • 3.3. Direct marketing: Sending out email notifications and/or newsletters. If you no longer wish to receive these communications, you cans use the opt-out provided. Afterwards, you will no longer receive the unwanted direct marketing communications, and we will no longer process your personal data for these direct marketing purposes.
  • 3.4. Applicants’ management.
  • 3.5. Necessary for the functioning of our company: to improve and optimize our services (including through cookies and advertising via social media), to maintain and improve the Website (including through cookies), to ensure the security of our Website and services, to prevent abuse or improper use of our services, to store personal data as evidence or for the purpose of legal, administrative or extrajudicial proceedings, to store personal data to obtain or maintain insurance coverage, manage risk or obtain expert advice, to store personal data to ensure attendance at/participation in events.
  • 3.6. To comply with legal obligations (for example in connection with anti-money laundering and counter terrorism legislation).
  • 3.7. In general: you are not obliged to share your personal data with us, but if you do not communicate the requested personal data, it is possible that we cannot provide you with the desired services and/or products.

4. Legal basis for processing the personal data

The processing of personal data under section 3.1 and 3.2 is based on the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

The processing of personal data of prospects under section 3.3 and the processing of personal data through cookies (other than strictly necessary and functional cookies) under section 3.5 is based on the consent of the data subject.

The processing of personal data of prospects under section 3.3 for customers and the first contact with prospects, as well as the other processing of personal data under section 3.4 and 3.5 is based on our legitimate interests (only when the legitimate interest of our company override the interest of the data subjects). The interests were set out under section 3.3-3.5.

The processing of personal data of prospects under section 3.6 is necessary to comply with a legal obligation to which we are subject.

5. Sharing the personal data with others/international transfers

We only disclose relevant aspects of personal data to third parties if those parties are contractually bound to Phished or act on behalf of or under contract to Phished. Naturally, we have made agreements with these parties regarding the protection of your personal data.

However, we may disclose your personal information when such disclosure is necessary to comply with a legal obligation to which we are subject, or to protect your (vital) interests. We may also disclose your personal information when such disclosure is necessary to establish, exercise or defend legal claims, in court proceedings or in administrative or extra-judicial proceedings.

We do not provide personal data to companies outside the European Economic Area, unless there is an adequacy decision, standard provisions, appropriate safeguards, binding corporate rules or transfers referred to in Article 49 (1) GDPR.

In the event of a full or partial reorganisation, merger, demerger, acquisition or sale of assets, we are entitled to transfer personal data to the relevant third party.

You acknowledge that personal data that you submit for publication via our website or services may be available worldwide via the Internet. We cannot prevent the use (or misuse) of such personal information by others.

6. Storage and deletion of personal data

We retain personal data only for as long as necessary for the fulfilment of the purpose set out above. As the retention period depends on the purpose, but also on the type of personal data, these retention periods vary.

7. Your rights

We’ve summarised your rights in this section. As some of these rights are complex, not all details are included in our summaries. Therefore, you should read the relevant laws and regulatory guidelines for a full explanation of these rights.

  • 7.1. Right of access: you have the right to confirm whether or not we process your personal data and, where we do, have access to the personal data, together with the additional information mentioned in article 15 GDPR. Safeguarding the rights and freedoms of others is not affected, we will provide you with a copy of your personal data.
  • 7.2. Right of rectification: you have the right to have incorrect and/or incomplete personal data corrected and/or completed.
  • 7.3. Right to erase: have the right to have your personal data deleted in the circumstances mentioned in article 17 (1) GDPR, such as when you withdraw your consent for consent-based processing or object to the processing for direct marketing purposes.

    Phished will then delete your personal data without undue delay, unless the exclusions mentioned in article 17 (3) GDPR apply. For example, Phished will not need to delete your data in case the processing is necessary in order to comply with a legal obligation.
  • 7.4. Right to restrict processing: you have the right to restrict the processing of your personal data in the circumstances mentioned in article 18 (1) GDPR, such as in case you contest the accuracy of the personal data.
  • 7.5. Right to data portability: you have the right to receive the personal data concerning you, which you provided us, in a structured, commonly used and machine-readable format and to transmit such data to another controller if (a) the processing is based on consent or necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract, and (b) such processing is automated. However, this right does not apply where this would harm the rights and freedoms of others.
  • 7.6. Right to withdraw consent: insofar as the legal basis for our processing of your personal data is consent, you have the right to withdraw this consent at any time. The withdrawal of consent does not affect the lawfulness of the processing before its withdrawal.
  • 7.7. Right to lodge a complaint with the supervisory authority: if you believe that our processing of your personal data violates data protection laws, if you do not agree with Phished’s position or if you have any comments regarding the exercise of your, you have the right to file a complaint with the competent supervisory authority.
  • 7.8. Right to object to processing: you have the right to object to our processing of your personal data for direct marketing purposes at any time. Practically, you can do this via the “opt-out”-option. Afterwards, you will no longer receive the unwanted direct marketing communications, and we will no longer process your personal data for these direct marketing purposes. Of course it is possible, that we may still contact you in connection to the execution of the agreement.

You also have the right to object to our processing of your personal data based on Article 6 (e) or (f) GDPR for reasons relating to your specific situation. If you object, we will no longer process your personal information unless we can demonstrate compelling legitimate reasons for the processing that exceed your interests, rights and freedoms, or the processing to establish, exercise or defend legal claims.

In addition, you have the right to object to our processing of your personal data for scientific, historical or statistical (research) purposes for reasons relating to your specific situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

8. Contact

In case you want to contact us regarding this policy, you can contact us via mail to our DPO: [email protected].

If you are contacting us because you want to exercise one of your rights (see section 7), we kindly request you to indicate clearly which right you want to exercise. Please be as specific as possible when exercising your rights.

9. Cookies

You can read more about our use of cookies via the following link.